[Snort-users] Performance Monitor Graphing Tool

Mike Lococo mikelococo at ...11827...
Fri Sep 3 09:54:11 EDT 2010

On 09/02/2010 02:46 PM, Greg Lane wrote:
> Does anybody have a good location to obtain a good perfmonitor graph tool
> for snort?  Every link that I have tried doesn’t seem to work and
> nothing is available.

I think a snort-specific tool is the wrong way to do this.  You have
interesting trendable data all over the place, and for a (relatively)
small amount of additional effort you can deploy a general purpose tool
instead.  The big open-source players in the space are:

1) Nagios + some graphing framework: Huge user-base and module-list, but
no integrated graphing and probably the worst learning curve.
2) Zabbix: This is what I use.  It's not perfect, was very easy to set
up, has excellent integrated graphing, and can collect almost any kind
of data with very little configuration (snmp, agent with support for
custom monitoring items, and various server-side pings).
3) Zenoss: I haven't used, but I gather it's quite flexible and fairly
easy to use.

There are lots of other tools, but these are the three that ended up on
my short-list due to flexibility and robustness. They can all collect
data in a variety of ways, can collect custom-data that you define, can
graph the data (or have well-documented howtos on integrating with
external graphic packages), and allow you to define criteria for events
and notifications.  They can also all scale from a few boxes to many
many thousands (I started running Zabbix when I had about a dozen boxes
and the effort/reward tradeoff was immediately beneficial).

With my Zabbix setup, I have a single screen that shows the following
data for all my snort sensors:

  * Bandwidth at my taps (snmp)
  * Bandwidth to my snort processes (agent custom item)
  * Received/dropped packets for snort (agent custom item)
  * stream/frag stats (agent custom item)
  * CPU usage of various types (agent built-in item)
  * RAM usage of various types (agent built-in item)
  * Disk I/O activity in bytes and in iops (agent built-in item)
  * Free disk space (agent built-in item)
  * A list of the top-5 process-names that are using CPU-time (I
    can't wait for iotop to work on RHEL so I can get this list
    for io-consumers as well, this is an agent custom item).
  * Other stuff I can't remember

Since I set this up, I haven't run into a performance anomaly that I
couldn't troubleshoot promptly.  Regardless of whether I observe the
event in real-time, I have all the data I need to do evidence-based
troubleshooting.  Snort-specific tools get you less than half-way there
because there are so many potential failure points outside the snort

I already outlined how I pull the snort perfmon data into zabbix a few
days ago in a thread titled "A few questions about Solaris", it's quite

Mike Lococo
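
Added example, not part of the original message and not the author's own script: one way an "agent custom item" for received/dropped packets could read the newest row of a Snort perfmonitor stats file and refuse to report stale data. It assumes the stats file is CSV with a '#'-prefixed header line naming the columns; the sample rows, the script name, the item key `snort.perf`, the file paths and the 600-second staleness limit are all constructed or hypothetical.

```python
import csv
import sys
import time

# Constructed sample: '#'-prefixed header naming the columns, then one CSV
# row per reporting interval whose first field is a Unix timestamp.
SAMPLE = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1283521800,0.000,412.7,0.3
1283522100,1.250,655.1,0.9
"""


def latest_stat(stream, field, now=None, max_age=600):
    """Return `field` from the newest complete stats row as a float.

    Raises LookupError for a missing header, row or field, and RuntimeError
    when the newest row is older than max_age seconds, so a dead sensor is
    not graphed with its last healthy value.
    """
    header, last = None, None
    for row in csv.reader(stream):
        if not row:
            continue
        if row[0].startswith("#"):
            header = [col.lstrip("#").strip() for col in row]
        elif header and len(row) == len(header):
            last = row  # rows cut short by a concurrent write are skipped
    if header is None or last is None:
        raise LookupError("no header or no complete data row")
    if field not in header:
        raise LookupError("unknown field: " + field)
    age = (time.time() if now is None else now) - float(last[0])
    if age > max_age:
        raise RuntimeError("newest row is %d seconds old" % age)
    return float(last[header.index(field)])


if __name__ == "__main__":
    # Hypothetical agent entry (key name and paths are placeholders):
    # UserParameter=snort.perf[*],/usr/local/bin/snort_stat.py /var/log/snort/snort.stats $1
    try:
        with open(sys.argv[1], newline="") as fh:
            print(latest_stat(fh, sys.argv[2]))
    except (IndexError, OSError, LookupError, RuntimeError, ValueError) as err:
        sys.exit("snort_stat: %s" % err)
```

On any failure the script prints nothing to stdout and exits non-zero, so the monitoring side sees a missing value instead of a repeated old one.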
